New versions of 2 virtual machines
awe, the 03/09/2013 at 08h12Comments (0)

  • Migration of W3Challs to a datacenter ;
  • Hacking VM renovated, several challenges improved/renovated, no moar simulation ;
  • 3 new challenges: 2 hacks, 1 forensic ;
  • All wargame exercices are now available without dependencies.

Migration of W3Challs to a datacenter:

Until now W3Challs was home hosted, at my place. Now that I am abroad, that's not possible anymore, so everything has been migrated to a datacenter. The migration process has gone reasonably well, there wasn't any significant service outage. Our SLA are still good!
This migration also forced me to push the latest VM versions, which were under construction for a few months:
  • The main VM: the one that hosts the site itself, as well as many other services.
  • The hacking VM: mostly web challs, but not only.

Update of the Hacking VM:

This machine was a quite old debian Lenny VM, which was therefore not updated for a while, but that was voluntary to avoid breaking some challenges (PHP version, etc).
The new VM is quite up-to-date (and we should keep it that way). It's a Hardened Gentoo VM, with a lot of hardening at several levels (kernel, binary toolchain, network access, permissions...) that I won't describe here.
The challenges that can only work on a specific version of PHP are still fine, because several PHP versions are running at the same time.

This VM architecture was completly revised to allow our challenges to work with 0% of simulation. This is also true for the very first challenges as well, that have been modified or fully recoded. Thus, it is now possible to obtain a shell on the server (hey c99.php!) from some of the first challenges.

The purpose of W3Challs is to offer realistic challenges, without simulation and guessing. The previous measures are therefore in this context, also applied to the existing challs.

Here is a summary of what was modified, with little details to avoid any spoil:

ChangesOld pointsNew points
Change your browserThe current browser is now displayed42
.htaccessCompletly renovated, now in 2 parts67
Mobile-DownloadsCompletly renovated, different vulnerability68
A basic vulnerabilityNone.99
An images galleryFully renovated.1010
Hackme Windows XPCleaner design.1111
Temporal attackNone.1313
Wi-Fi N°2None.1414
WebCompanyNo moar simulation.
Now it is required to obtain RCE to solve it (which was expected anyway).
Temporary AttackedNone.1817
Vip Web ArmyNone.2018
W3News p0wned!No moar simulation.2018
TiviWikiNew challenge!-19
pyEvaluatorNew challenge!-20
Vip Web Army IIMinor modifications.2222
W3Warz I - The Phantom MenaceNone.2323
JohnDogNo change, but the challenge doesn't run in a chroot anymore.2424

Some complementary things are still to do, such as cleaning the outdated forum posts in these challenges, etc. That will come later. (Remind me if I forget!).

Some challenges may not work anymore: most of them were tested, but the err is human.
If you have any doubt please contact me and I'll check.

If you find any exploitable "Cross Challenge Scripting" (ie, bypass of a challenge from another), I am of course very interested. In principle I created protection mechanisms a bit everywhere to avoid that, but who knows...
Please just try not to contact me to tell me that we can get the fullpath of challenges by reading the /etc/passwd (which was not possible previously). I am well aware of that, and that isn't really important :D

Removal of the Wargame dependencies:

Before, the wargame exercices needed to be solved in a specific order. At least for the basic and classic branches.
The advantage of such a system is that it forces people to persevere on challenges when they are stuck, instead of just going to the next level.
The drawback is that experienced people can't go straight to the levels they feel interesting, and they have to solve the dependencies first.

Now all dependencies were removed, on all of the wargame exercices. Therefore any member can access any wargame level.
The notion of dependencies will maybe come back in the future, but then it'll be for resource issues.

For beginners, even if all levels are now accessible, it is of course still recommended to solve these in the correct order.
For experienced challengers, you can go straight to the kernelpanic exercices, that still haven't found any solver yet!

New challenges:

3 new challenges were added!
2 python hacks, 1 forensic:
  • TiviWiki, hacking, by awe
  • pyEvaluator, hacking, by awe
  • Alzheimer, forensic, by UfoX


Any feedback is indeed welcome!